We have written in the past about the valuable tool provided by the Data Protection Act (DPA) (and the Freedom of Information Act) enabling those contemplating litigation to embark on a fishing expedition, not otherwise permitted. An interesting development is the addition of claims of data-protection breaches to cases of defamation. In a recent case, a supply teacher claimed that he had not only been defamed by his school and local authority by being assessed as a risk to children, but those assessments, and hence opinions, were inaccurate and amounted to a breach of the DPA.

The supply teacher had been accused of attempted rape in 2001. He was arrested but no charges were laid because CCTV unequivocally proved that he was elsewhere at the relevant time. The police concluded that it was a clear case of mistaken identity and that the supply teacher was innocent. An enhanced CRB check issued in 2004 included the fact of the arrest in the non-conviction section, which the supply teacher challenged in the courts. A subsequent enhanced CRB check obtained by his new employer in 2009 made no reference to the original arrest for rape and, in fact, made no adverse references to the supply teacher at all.

A year 8 pupil made a complaint regarding the supply teacher’s conduct in 2009, which did not involve touching. After an investigation by the school, no further action was taken. Also in 2009, a complaint was made by a 19-year old pupil (an adult) that the supply teacher had tried to kiss her in a night club. He was suspended and ultimately dismissed following a strategy meeting with the local authority’s designated child-protection officer, who had sought information from the supply teacher’s previous employer and the police and shared it with the school. The matter was referred to the Independent Safeguarding Authority, who concluded that the supply teacher should not be included in either the children’s or the adult’s barred lists.

Documents held by the local authority included both oblique and direct references to the allegations of rape in 2001 and to the presumed risk the teacher posed to children e.g.

“... However there are significant risk factors relating to Mr XXX based on allegations made against him by children. There have been allegations made against Mr XXX relating to rape charge (sic). The complexity is that Mr XXX has not been charged with any of the allegations made against him…”.

There were also erroneous references in the records to the sex offenders register, following receipt of an anonymous letter by a person dissatisfied with the way the year 8 pupil’s complaint had been handled.

The court regarded as a very serious matter the fact that the information remained on file. It queried how anyone who had the opportunity to review and consider these matters, as the school and local authority had done as late as 2010, could have concluded that they had any further relevance to any question relating to the supply teacher. Accordingly, he had a real prospect of succeeding in a claim for breach of privacy and of the DPA.

The DPA clearly includes opinions relating to individuals in the definition of “personal data”. It further provides that personal data should be accurate and relevant. Generally, opinions are subjective states and are usually neither right nor wrong. However, an opinion that is based on erroneous facts is amenable to challenge under the DPA.

In the often understandable zeal to protect the vulnerable, staff mistakenly believe that the rights of other individuals are suspended. It is incumbent on staff to exercise care when expressing professional opinions about staff or students, particularly those opinions that have potentially serious consequences for the individuals in question. Staff should therefore take reasonable steps to ensure the accuracy of the facts on which their opinions are based. That the Information Commissioner has the power to impose fines of up to £500,000 for deliberate or reckless serious breaches of the DPA should provide some incentive to do so.